On Thu, 25 Oct 2018 10:53:56 +0100, Ricardo Mestre wrote:

> If we pass `file' via args then we need to unveil(2) it with read permission,
> otherwise if omitted we need to unveil(2) both _PATH_UNIX and _PATH_KSYMS with
> same permissions.
>
> Unconditionally we need to also unveil(2) dbdir, which by default is
> _PATH_VARDB but can be changed via args (-o directory), with read/write/create
> permissions. There are a couple of temp files that will be created but it's
> inside dbdir so there's no need to unveil(2) them individually.
>
> Since we already call pledge(2) before, twice, we need to add "unveil" promise
> to both of them, and finally call pledge(2) once again with the needed promises
> except "unveil".

OK millert@

 - todd
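
The ordering described in the quoted mail, as an added example that is not the patch under review nor code from either author. The names restrict_fs, do_unveil, do_pledge and trace are hypothetical, the promise string passed in main is an assumed set, the two earlier pledge(2) calls are collapsed into one, and the path values in the #else branch are constructed stand-ins so the call order can be traced on systems without unveil(2).

```c
#include <stdio.h>
#include <string.h>
#ifdef __OpenBSD__
#include <paths.h>
#include <unistd.h>
#else	/* constructed stand-ins so the call order can be traced off OpenBSD */
#define _PATH_UNIX	"/bsd"
#define _PATH_KSYMS	"/dev/ksyms"
#define _PATH_VARDB	"/var/db/"
static int unveil(const char *p, const char *f) { (void)p; (void)f; return 0; }
static int pledge(const char *p, const char *e) { (void)p; (void)e; return 0; }
#endif

static char trace[8][96];	/* calls made by restrict_fs(), in order */
static int ntrace;

static int do_unveil(const char *path, const char *perms)
{
	snprintf(trace[ntrace++ % 8], sizeof(trace[0]), "unveil %s %s", path, perms);
	return unveil(path, perms);
}
static int do_pledge(const char *promises)
{
	snprintf(trace[ntrace++ % 8], sizeof(trace[0]), "pledge %s", promises);
	return pledge(promises, NULL);
}

/* file: from args or NULL; dbdir: -o directory or NULL; promises: assumed set, no "unveil" */
int restrict_fs(const char *file, const char *dbdir, const char *promises)
{
	char early[128];
	int rv;
	ntrace = 0;
	snprintf(early, sizeof(early), "%s unveil", promises);
	rv = do_pledge(early);		/* "unveil" must be pledged to call unveil(2) */
	if (rv == 0 && file != NULL)
		rv = do_unveil(file, "r");
	else if (rv == 0 && (rv = do_unveil(_PATH_UNIX, "r")) == 0)
		rv = do_unveil(_PATH_KSYMS, "r");
	if (rv == 0)			/* temp files live inside dbdir: one entry covers them */
		rv = do_unveil(dbdir != NULL ? dbdir : _PATH_VARDB, "rwc");
	return rv == 0 ? do_pledge(promises) : -1;	/* drop "unveil": view is fixed */
}

int main(void)
{
	int rv = restrict_fs(NULL, NULL, "stdio rpath wpath cpath");
	for (int i = 0; i < ntrace; i++)
		puts(trace[i]);
	return rv == 0 ? 0 : 1;
}
```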
